For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ed_26015's avatar
Ed_26015
Icon for Nimbostratus rankNimbostratus
Dec 04, 2010

Source routing with iRules

Hi all,     I hope you can help.     I have two interfaces on the F5 that connect back to a Cisco PIX again on different interfaces.     Topology is 10.130.4.1 & 10.130.32.1 for the ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 06, 2010
Hi Ed,

For performance and ease of management, you could combine all of the addresses/subnets that have a common destination IP into an address datagroup and then use matchclass (9.x) or class match (10.x) to look up the client IP. To check whether a match is being made, you could add logging to the iRule: 


when CLIENT_ACCEPTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: destination [IP::local_addr]:[TCP::local_port]"

    Check if client IP is in the my_subnets_class datagroup
   if {[class match [IP::client_addr] equals my_subnets_class]}{
      log local0. "[IP::client_addr]:[TCP::client_port]: Matched my_subnets_class, using 10.130.32.1"
      node 10.130.32.1
   } else {
      node 10.130.4.1
      log local0. "[IP::client_addr]:[TCP::client_port]: Matched my_subnets_class, using 10.130.32.1"
   }
}

If you're testing with ICMP, make sure your virtual server type is defined as all protocols.

Aaron